\newcommand{\comment}[1]{}


\begin{slide}{Call Graph}
\begin{itemize}
\item Collection of edges representing {\red all} method invocations known to Soot
\begin{itemize}
\item explicit method invocations
\item implicit invocations of static initializers
\item implicit calls of {\tt Thread.run()}
\item implicit calls of finalizers
\item implicit calls by {\tt AccessController}
\item \ldots
\end{itemize}
\item {\tt Filter} can be used to select specific kinds of edges
\end{itemize}
\end{slide}

\begin{slide}{Call Graph Edge}
\begin{itemize}
\vspace*{-5mm}
\item Each {\tt Edge} contains
\begin{itemize}
\item Source method
\item Source statement (if applicable)
\item Target method
\item Kind of edge
\end{itemize}
\end{itemize}
\newcommand{\dott}[1]{\rnode{#1}{$\bullet$}}
\begin{tabular}{|c|c|c|c|}
\hline
source m. & source stmt. & target m. & kind\\
\hline
\dott{src} & \dott{stmt} & \dott{tgt} & VIRTUAL \\
\hline
\end{tabular}
\newcommand{\tab}{\hspace*{8mm}}
\vspace*{6mm}\\
\begin{minipage}{2in}
\tt
\rnode{foo}{foo()} \{\\
\tab \rnode{foos}{o.bar();}\\
\}
\end{minipage}
\begin{minipage}{2in}
\tt
\rnode{bar}{bar()} \{ \\
\tab /* */ \\
\}
\end{minipage}
\newcommand{\arrow}[2]{\nccurve[arrowsize=.3,angleA=270,angleB=45]{->}{#1}{#2}}
\arrow{src}{foo}\arrow{tgt}{bar}\arrow{stmt}{foos}\nccurve[arrowsize=.3,linestyle=dashed,angleB=180]{->}{foos}{bar}
\end{slide}

\begin{slide}{Edge Kinds}
\vspace*{-6mm}
{
\tiny\bf
\begin{verbatim}
/** Due to explicit invokestatic instruction. */
public static final int STATIC = 1;
/** Due to explicit invokevirtual instruction. */
public static final int VIRTUAL = 2;
/** Due to explicit invokeinterface instruction. */
public static final int INTERFACE = 3;
/** Due to explicit invokespecial instruction. */
public static final int SPECIAL = 4;
/** Implicit call to static initializer. */
public static final int CLINIT = 5;
/** Implicit call to Thread.run() due to Thread.start() call. */
public static final int THREAD = 6;
/** Implicit call to Thread.exit(). */
public static final int EXIT = 7;
/** Implicit call to non-trivial finalizer from constructor. */
public static final int FINALIZE = 8;
/** Implicit call to run() through AccessController.doPrivileged(). */
public static final int PRIVILEGED = 9;
/** Implicit call to constructor from java.lang.Class.newInstance(). */
public static final int NEWINSTANCE = 10;
\end{verbatim}
}\sablefootnote{soot.jimple.toolkits.callgraph.Edge}
\end{slide}

\begin{slide}{Querying Call Graph}
\begin{description}
\item[\texttt{edgesOutOf(SootMethod)}] iterator over edges with given source method
\item[\texttt{edgesOutOf(Unit)}] iterator over edges with given source statement
\item[\texttt{edgesInto(SootMethod)}] iterator over edges with given target method
\begin{tabular}{|c|c|c|c|}\hline {\red main()}&o.foo();&C1.foo()&VIRTUAL\\\hline\end{tabular}
\begin{tabular}{|c|c|c|c|}\hline {\red main()}&o.goo();&C1.goo()&VIRTUAL\\\hline\end{tabular}
\begin{tabular}{|c|c|c|c|}\hline {\red main()}&o.goo();&C2.goo()&VIRTUAL\\\hline\end{tabular}
{\gray \begin{tabular}{|c|c|c|c|}\hline bar()&o.foo();&C2.foo()&VIRTUAL\\\hline\end{tabular}}
\end{description}
\sablefootnote{soot.jimple.toolkits.callgraph.CallGraph}
\end{slide}

\begin{slide}{Querying Call Graph}
\begin{description}
\item[\texttt{edgesOutOf(SootMethod)}] iterator over edges with given source method
\item[\texttt{edgesOutOf(Unit)}] iterator over edges with given source statement
\item[\texttt{edgesInto(SootMethod)}] iterator over edges with given target method
\begin{tabular}{|c|c|c|c|}\hline main()&o.foo();&{\red C1.foo()}&VIRTUAL\\\hline\end{tabular}
{\gray \begin{tabular}{|c|c|c|c|}\hline main()&o.goo();&C1.goo()&VIRTUAL\\\hline\end{tabular}}
{\gray \begin{tabular}{|c|c|c|c|}\hline main()&o.goo();&C2.goo()&VIRTUAL\\\hline\end{tabular}}
\begin{tabular}{|c|c|c|c|}\hline bar()&o.foo();&{\red C1.foo()}&VIRTUAL\\\hline\end{tabular}
\end{description}
\sablefootnote{soot.jimple.toolkits.callgraph.CallGraph}
\end{slide}

\begin{slide}{Adapters}
\begin{itemize}
\item Adapters make an iterator over edges into an iterator over
\begin{description}
\item[{\texttt{Sources}}] source methods
\item[{\texttt{Units}}] source statements
\item[{\texttt{Targets}}] target methods
\end{description}
\end{itemize}
\newcommand{\src}[1]{\begin{tabular}{|c|}\hline {\red $src_#1$}\\\hline\end{tabular}}
\newcommand{\edge}[1]{\begin{tabular}{|c|c|c|c|}\hline {\red $src_#1$}&$stmt_#1$&$tgt_#1$&$kind_#1$\\\hline\end{tabular}}
\begin{minipage}{2.5in}
\edge{1}\\
\edge{2}\\
\edge{3}\\
\end{minipage}
\begin{minipage}{1in}
\src{1}\\
\src{2}\\
\src{3}\\
\end{minipage}
\sablefootnote{soot.jimple.toolkits.callgraph.\{Sources,Units,Targets\}}
\end{slide}

\begin{slide}{Code Example}
\vspace*{-5mm}
\begin{verbatim}
void mayCall( SootMethod src ) {
   CallGraph cg =
            Scene.v().getCallGraph();
   Iterator targets =
     new Targets(cg.edgesOutOf(src));

   while( targets.hasNext() ) {
      SootMethod tgt =
         (SootMethod) targets.next();
      System.out.println( ""+
        src+" may call "+tgt );
   }
}
\end{verbatim}
\end{slide}

\begin{slide}{Reachable Methods}
\begin{itemize}
\item \texttt{ReachableMethods} object keeps track of which methods are
reachable from entry points
\end{itemize}
\begin{description}
\item [\texttt{contains(SootMethod)}] tests whether method is reachable
\item [\texttt{listener()}] returns an iterator over reachable methods
\end{description}
\end{slide}

\begin{slide}{Code Example}
\begin{verbatim}
ReachableMethods rm =
      Scene.v().getReachableMethods();

if( rm.contains( myMethod ) ) 
    // myMethod is reachable

Iterator it = rm.listener();
while( it.hasNext() ) {
    SootMethod method = 
        (SootMethod) it.next();
    // method is reachable
}
\end{verbatim}
\end{slide}

\begin{slide}{Transitive Targets}
\begin{itemize}
\item {\tt TransitiveTargets} class takes a {\tt CallGraph} and
optional {\tt Filter} to select edges
\end{itemize}
\begin{description}
\item [\texttt{iterator(SootMethod)}] iterator over methods transitively
called from given method
\item [\texttt{iterator(Unit)}] iterator over methods transitively
called from targets of given statement
\end{description}
\end{slide}

\begin{slide}{Implementation Big Picture}
\newcommand{\cls}[2]{\rnode{#2}{\psframebox{\begin{tabular}{c}#1\end{tabular}}}}
\vspace*{-5mm}
\begin{psmatrix}[colsep=.2,rowsep=.4]
\cls{Entry Points}{ep}\\
&\cls{Scene}{scene}&\cls{Call Graph}{cg}\\\ \\
\cls{Reachable\\Methods}{rm}&\cls{Call Graph\\Builder}{cgb}&\cls{Points-to}{pt}\\
\ \\
&&\cls{Naive}{naive} \cls{Spark}{spark}
\end{psmatrix}
\psset{arrowsize=.3}
\nccurve[angleA=270,angleB=175]{->}{ep}{scene}\mput*{\tiny methods}
\nccurve[angleA=185,angleB=90]{->}{scene}{rm}\mput*{\tiny methods}
\nccurve[angleA=270,angleB=265]{->}{rm}{cgb}\mput*{\tiny methods}
\nccurve[angleA=90,angleB=80]{->}{cgb}{rm}\mput*{\tiny edges}
\nccurve[angleA=90,angleB=135]{->}{cgb}{pt}\mput*{\tiny edges}
\nccurve[angleA=90,angleB=225]{->}{cgb}{cg}\mput*{\tiny edges}
\nccurve[angleA=225,angleB=275]{->}{pt}{cgb}\mput*{\tiny receiver types}
\ncangles[angleA=90,angleB=270,arrowinset=0]{->}{naive}{pt}
\ncangles[angleA=90,angleB=270,arrowinset=0]{->}{spark}{pt}
\end{slide}

\comment{
\begin{slide}{Reachable Methods}
\begin{itemize}
\item {\tt ReachableMethods} class requires
\begin{itemize}
\item collection of entry points
\item call graph
\item optional edge filter
\end{itemize}
\item Updates list of reachable methods as edges added to call graph
\item Edge removals are ignored
\end{itemize}
\end{slide}

\begin{slide}{Queues}
\begin{itemize}
\item Used throughout Soot to communicate events
\item Objects added to queue can be read by multiple QueueReaders
\begin{itemize}
\item QueueReaders are like Iterators
\end{itemize}
\item In Call Graph, there are Queues for
\begin{itemize}
\item added edges
\item methods that become reachable
\end{itemize}
\end{itemize}
\end{slide}

\begin{slide}{Call Graph Builder}
\begin{itemize}
\item Analyzes methods that become reachable, adding edges
to call graph
\item Uses {\tt PointsToAnalysis} interface to resolve receiver
types for virtual calls
\begin{itemize}
\item {\tt DumbPointsToAnalysis} gives CHA
\item Spark gives RTA, VTA, more precise analyses
\end{itemize}
\end{itemize}
\end{slide}
}

